As the use of licensed software become more common, the need for secure enablement of software entitlements increases commensurate with this usage. Enablement is the process of a client acquiring proof of an entitlement to a product or service from a vendor that is needed before the product or service can be used. Enablement can take place via the Internet, telephone, or other means. For telephone enablement, a client side user, or customer, may call a vendor side customer service representative (CSR) or an interactive voice response (IVR) system. During the call, the user provides the vendor enablement information, either by reading an enablement code or punching it in to a telephone keypad, and receives back from the vendor a validation code to unlock the product or service for use.
Enablement over a telephone channel is limited to a relatively narrow bandwidth due to human involvement in the process. This narrow bandwidth limits the length of the information that can be exchanged. For example, a user cannot be expected to read or record an extraordinarily long string of digits over the phone. In addition to the inconvenience of reading or entering a long string of digits, long codes can cause data entry errors, leading to user frustration. Also, security measures may limit the number of chances a user gets for entering digits, thus locking out a user if a data entry error occurs multiple times. However, a validation code needs to meet certain security requirements to prevent piracy. Specifically, the code should be specific to an entitlement, be hard to generate by anyone but the software vendor, and depending on the circumstances, be limited to use by one or a limited group of computers. On the other hand, the validation code should be as short as possible so as not to unduly burden the person entering or reading the code over the telephone channel. Length poses a challenge because a shorter length limits the number of possible codes that a hacker needs to go through to get the correct code.
Prior security methods that aim to meet these requirements include the use of public key digital signatures or symmetric key encryption. Public key digital signatures use a pair of keys: a private key, which only the software vendor knows, and a public key, which is made publicly available. Something signed with the private key, such as a software program or unique validation code, can be verified only with the corresponding public key. This method often is used with Internet channel enablement. However, this method is not suited for enablement over channels with narrow bandwidth because public key digital signature algorithms produce code lengths of more than 78 digits at a minimal level of security.
In symmetric key encryption, the sender and receiver of messages share a single, “symmetric” key that acts as a “shared secret.” The shared key is used by both the sender and receiver to encrypt and decrypt the messages. However, the security of this method is limited to the degree that the shared secret can be protected. Thus, the use of this method of enablement is undesirable because storing a shared secret on a user's computer opens the secret to anyone who can access the user's computer, which can be debugged, scrutinized, or reverse-engineered. In addition, symmetric key encryption generally requires a longer key than desired for channels with narrow bandwidth.
Accordingly, there is a need to provide a secure activation process over channels with narrow bandwidth, such as telephone channels. Preferably, the security system uses a validation code that is specific to an entitlement, is hard to generate by anyone but the software vendor, and does not rely on shared secrets between the software vendor and the user.